Professional Documents
Culture Documents
ASIS SPC.1-2009 Item No. 1842 PDF
ASIS SPC.1-2009 Item No. 1842 PDF
Organizational Resilience:
Security, Preparedness, and Continuity
Management Systems–Requirements with
Guidance for Use
ASIS SPC.1-2009
AMERICAN NATIONAL
STANDARD
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
ASIS SPC.1-2009
Abstract
A comprehensive management systems approach for security, preparedness, response, mitigation,
business/operational continuity, and recovery for disruptive incidents resulting in an emergency, crisis, or disaster.
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
ASIS International standards and guideline publications, of which the document contained herein is one, are
developed through a voluntary consensus standards development process. This process brings together volunteers
and/or seeks out the views of persons who have an interest in the topic covered by this publication. While ASIS
administers the process and establishes rules to promote fairness in the development of consensus, it does not write
the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information
or the soundness of any judgments contained in its standards and guideline publications.
ASIS is a voluntary, nonprofit professional society with no regulatory, licensing or police power over its members.
ASIS does not undertake a duty to third parties because it does not have the authority to enforce compliance with its
standards. It assumes no duty of care to the general public, because its standards are not obligatory and because it
does not monitor the use of those standards.
ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether
special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of,
application, or reliance on this document. ASIS disclaims and makes no guaranty or warranty, expressed or implied,
as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that
the information in this document will fulfill any person’s or entity’s particular purposes or needs. ASIS does not
undertake to guarantee the performance of any individual manufacturer or seller’s products or services by virtue of
this standard or guide.
In publishing and making this document available, ASIS is not undertaking to render professional or other services
for or on behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to
someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate,
seek the advice of a competent professional in determining the exercise of reasonable care in any given
circumstances. Information and other standards on the topic covered by this publication may be available from other
sources, which the user may wish to consult for additional views or information not covered by this publication.
ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS
has no control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any
activity or conduct that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any
practices, products, materials, designs, or installations for compliance with its standards. It merely publishes
standards to be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any
certification or other statement of compliance with any information in this document shall not be attributable to ASIS
and is solely the responsibility of the certifier or maker of the statement.
All rights reserved. Permission is hereby granted to individual users to download this document for their own
personal use, with acknowledgement of ASIS International as the source. However, this document may not be
downloaded for further copying or reproduction nor may it be sold, offered for sale, or otherwise used commercially.
ISBN: 978-1-887056-92-2
ii
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
FOREWORD
The information contained in this Foreword is not part of this American National Standard (ANS) and has not been
processed in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has
not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary
for conformance to the Standard.
ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory
requirements are designated by the word shall and recommendations by the word should. Where both a mandatory
requirement and a recommendation are specified for the same criterion, the recommendation represents a goal
currently identifiable as having distinct compatibility or performance advantages.
ASIS International (ASIS) is the preeminent organization for security professionals, with more than 37,000 members
worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security
professionals by developing educational programs and materials that address broad security interests. ASIS also
advocates the role and value of the security management profession to business, the media, government entities, and
the public. By providing members and the security community with access to a full range of programs and services,
ASIS leads the way for advanced and improved security performance.
The work of preparing ASIS Standards is carried out through the ASIS International Standards and Guidelines
Commission committees. Each member interested in a subject for which a technical committee has been established
has the right to be represented on that committee.
The Guidelines Program of ASIS International has received a Designation award under the Support Anti-terrorism
by Fostering Effective Technology Act of 2002 (the SAFETY Act) from the U.S. Department of Homeland Security.
Specifically, the SAFETY Act designation limits ASIS' liability for acts arising out of the use of the guidelines in
connection with an act of terrorism and precludes claims of third party damages against organizations using the
guidelines as a means to prevent or limit the scope of terrorist acts.
The ASIS International Organizational Resilience: Security, Preparedness and Continuity Management Systems Standard
incorporates the guidance provided in the ASIS International Business Continuity Guideline: A Practical Approach for
Emergency Preparedness, Crisis Management, and Disaster Recovery, 2005. For additional information, the Business
Continuity Guideline should be consulted. This best practices standard provides generic auditable criteria and
informative guidance on prevention, preparedness (readiness), mitigation, response, continuity, and recovery from
disruptive incidents with a potential to escalate into an emergency, crisis, or disaster.
Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince
Street, Alexandria, VA 22314-2818, USA.
Commission Members
Jason L. Brown, Thales Australia
Steven K. Bucklin, Glenbrook Security Services, Inc.
John C. Cholewa III, CPP, Embarq Corporation
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
Michael A. Crane, CPP, IPC International Corporation
Eugene F. Ferraro, CPP, PCI, CFE, Business Controls Inc.
F. Mark Geraci, CPP, Bristol-Myers Squibb Co., Chair
Robert W. Jones, Kraft Foods, Inc.
Michael E. Knoke, CPP, Express Scripts, Inc., Vice Chair
John F. Mallon, CPP
Marc H. Siegel, Ph.D, ASIS Security Management System Consultant
Roger D. Warwick, CPP, Pyramid International
iii
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
At the time it approved this document, SPC Standards Committee, which is responsible for the development of this
Standard, had the following members:
Committee Members
Committee Chairman: Marc H. Siegel, Ph.D., ASIS Security Management System Consultant
Committee Secretariat: Sue Carioti, ASIS International
Paul H. Aube, CCP, Federation C.J.A. James J. Leflar Jr., CPP, CBCP, Johns Hopkins University
Don Aviv, PSP, CPP, PCI, Interfor Inc. Edward M. Levy, CIT Group Inc.
William D. Badertscher, CPP, BMP, Georgetown University Adam W. Loomis, Bechtel National Inc.
Pradeep Bajaj, OSSIM Kim M. Loy-Curto, PSP, G4S Technology
Jay C. Beighley, CPP, Nationwide Insurance James E. Lukaszewski, The Lukaszewski Group Inc.
Dennis R. Blass, CPP, PSP, Sec Engineers University of Alabama Raymond R. McGill, CPP, Care Security Systems
Thomas Bozek, Bozek Consulting LLC Benjamin P. McGregor, Visual Defence
Jerry Brashear, Ph.D., ASME James E. McNeil, CPP, Mayo Clinic
Jerry J. Brennan, Security Management Resources Mohamed F. Meddeb, Linuhonnun Consulting Eng.
Richard C. Bryant, CBCP, CSE, Verizon Communications David A. Moore, PE, CSP, AcuTech Consulting Group
Frederick A. Budde, Federal Air Marshal Service Dante I. Moriconi, CPP, PSP, Administaff
Doyle J. Burke, CPP, Delphi Corporation/Securitas Eric H. Morse, Morse, Lattice Semiconductor Corp.
Sharon Caudle, Ph.D., Texas A&M University Richard E. Moulton, CPP, PSP, AlliedBarton
Jorge L. Checo, Gap Inc. Doug Nelson, EMS Solutions
Nancy A. Cohen, CPA, CITP, CIPP, AICPA Joseph C. Nelson, CPP, J Nelson, Consultant
Leah A. Core, MBCP, Godaddy.com Alan M. Nutes, CPP, Consultant
Hugues Costes, ArcelorMittal FCE Augustine O. Okereke, CPP, St. Alphonsus Catholic Church
Robert J. Coullahan, CPP, CEM, CBCP, Readiness Resource John A. Petruzzi, Jr., CPP, CISM, Simon Property Group
Group Inc. Daniel W. Phillips, PSP, Naval Undersea Warfare Center
Maria G. Dominguez, CPP, Bank of America Wade R. Pinnell, CPP, Huffmaster Crisis Response, LLC
Warren C. Edwards, Oak Ridge National Laboratory Joseph L. Rector, CPP, PSP, PCI, USAF/316th Security Forces
Eduard J. Emde, CPP, CISSP, Interseco Squadron
Linda J. Fite, CPP, University MN Medical Center Fairview Scott Richter, ANAB
Steven Foster, CPP, PCI, Business Controls Inc. Robert W. Rogalski, RAND Corporation
David H. Gilmore, CPP, Colonial Safeguards Inc. Bernard J. Scaglione, CPP, New York Presbyterian Hospital
Jeffrey P. Grossmann, Esq., St Johns University Michael Severin, Securitas Security Services
Steve Hather, Shadexi Consulting Rose M. Shyman, Pricewaterhouse Coopers LLP
Robert M. Hayworth, CPP, Titan America LLC Austin L. Smith, Department of Homeland Security
Ricky S. Henson, CPP, Headquarters, Federal Protective Service Tony Webster Smith, Sustainability Pty Ltd.
John A. Hill, Ph.D, University of Denver David L. Stackleather, Circuit City Stores Inc.
Michael Johnson, CISSP, CISM, HISP, Security Assurance Eugene C. Sticco, Jr., Shell International B V
Advisors, LLC Mark L. Theisen, CPP, Thrivent Financial
Linda J. Kelly, Vector Security, Inc. Penny Turnbull, Ph.D. CBCP, Marriott International Inc.
Donald E. Knox, CPP, Caterpillar Inc. Stephen Twomey, Diamond Resorts International
Scott Kohsel, ROK Systems Inc. Robert M. Weronik, CPP, CHPA, General Electric Company
Konstantinos Kyrifidis, CPP, PSP, Security Advisory Michele Yoder, Analex Corporation
Robert F. Lang, CPP, Kennesaw State University
William D. Badertscher, CPP, BMP, Georgetown University James J. Leflar Jr., CPP, CBCP, Johns Hopkins University
Dennis R. Blass, CPP, PSP, Sec Engineers University of Alabama Doug Nelson, EMS Solutions
Sharon Caudle, Ph.D., Texas A&M University Alan M. Nutes, CPP, Consultant
iv
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
TABLE OF CONTENTS
TABLE OF CONTENTS ................................................................................................................................................................V
TABLE OF FIGURES...................................................................................................................................................................VI
TABLE OF TABLES ....................................................................................................................................................................VI
0 INTRODUCTION ...................................................................................................................................................................VII
0.1 GENERAL ...................................................................................................................................................................................vII
0.2 PROCESS APPROACH ....................................................................................................................................................................VII
1 SCOPE.................................................................................................................................................................................. 1
2 NORMATIVE REFERENCES .................................................................................................................................................... 2
GENERAL REFERENCE ......................................................................................................................................................................... 2
PARALLEL OR INTEGRATED APPLICATION OF A NUMBER OF SYSTEMS ............................................................................................................. 2
3 TERMS AND DEFINITIONS ................................................................................................................................................... 3
4 ORGANIZATIONAL RESILIENCE (OR) MANAGEMENT SYSTEM REQUIREMENTS .................................................................... 4
4.1 GENERAL REQUIREMENTS ............................................................................................................................................................. 4
4.1.1 Scope of OR Management System ................................................................................................................................ 5
4.2 ORGANIZATIONAL RESILIENCE (OR) MANAGEMENT POLICY .................................................................................................................. 5
4.2.1 Policy statement............................................................................................................................................................. 6
4.2.2 Management Commitment............................................................................................................................................ 6
4.3 PLANNING ................................................................................................................................................................................. 7
4.3.1 Risk Assessment and Impact Analysis............................................................................................................................. 7
4.3.2 Legal and Other Requirements....................................................................................................................................... 7
4.3.3 Objectives, Targets, and Program(s) .............................................................................................................................. 8
4.4 IMPLEMENTATION AND OPERATION................................................................................................................................................. 9
4.4.1 Resources, Roles, Responsibility, and Authority ............................................................................................................. 9
4.4.2 Competence, Training, and Awareness ........................................................................................................................ 10
4.4.3 Communication and Warning ...................................................................................................................................... 10
4.4.4 Documentation............................................................................................................................................................. 11
4.4.5 Control of Documents................................................................................................................................................... 11
4.4.6 Operational Control...................................................................................................................................................... 12
4.4.7 Incident Prevention, Preparedness, and Response ....................................................................................................... 12
4.5 CHECKING (EVALUATION) ............................................................................................................................................................ 14
4.5.1 Monitoring and Measurement ..................................................................................................................................... 14
4.5.2 Evaluation of Compliance and System Performance .................................................................................................... 14
4.5.2.1 Evaluation of Compliance......................................................................................................................................... 14
4.5.2.2 Exercises and Testing................................................................................................................................................ 14
4.5.3 Nonconformity, Corrective Action, and Preventive Action ........................................................................................... 15
4.5.4 Control of Records ........................................................................................................................................................ 15
4.5.5 Internal Audits.............................................................................................................................................................. 15
4.6 MANAGEMENT REVIEW .............................................................................................................................................................. 16
4.6.1 General......................................................................................................................................................................... 16
4.6.2 Review Input................................................................................................................................................................. 16
4.6.3 Review Output.............................................................................................................................................................. 17
4.6.4 Maintenance ................................................................................................................................................................ 17
4.6.5 Continual Improvement................................................................................................................................................ 17
A GUIDANCE ON THE USE OF THE STANDARD .......................................................................................................................18
A.0 INTRODUCTION ........................................................................................................................................................................ 18
A.1 GENERAL REQUIREMENTS............................................................................................................................................................ 20
A.2 ORGANIZATIONAL RESILIENCE (OR) MANAGEMENT POLICY ................................................................................................................ 21
v
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
TABLE OF FIGURES
FIGURE 1: PLAN‐DO‐CHECK‐ACT MODEL ................................................................................................................................................. VIII
FIGURE 2: ORGANIZATIONAL RESILIENCE (OR) MANAGEMENT SYSTEM FLOW DIAGRAM........................................................................................ 4
TABLE OF TABLES
TABLE 1: CORRESPONDENCE BETWEEN ISO 9001:2000, ISO 14001:2004, ISO 27001:2005, AND THIS STANDARD OF BEST PRACTICES ................. 42
TABLE 2: VERBAL FORMS FOR THE EXPRESSION OF PROVISIONS........................................................................................................................ 44
vi
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
0 INTRODUCTION
0.1 General
This management system Standard (referred to as the “Standard”) has applicability in the
private, not-for-profit, non-governmental, and public sector environments. It is a management
framework for action planning and decision making needed to anticipate, prevent if possible,
and prepare for and respond to a disruptive incident (emergency, crisis, or disaster). It
enhances an organization’s capacity to manage and survive the event, and take all appropriate
actions to help ensure the organization’s continued viability. Regardless of the organization, its
leadership has a duty to stakeholders to plan for its survival. The body of this document
provides generic auditable criteria to establish, check, maintain, and improve a management
system to enhance prevention, preparedness (readiness), mitigation, response, continuity, and
recovery from disruptive incidents.
This Standard is designed so that it can be integrated with quality, safety, environmental,
information security, risk, and other management systems within an organization. A suitably
designed management system can thus satisfy the requirements of all these standards (see
Annex B). Organizations that have adopted a process approach to management systems (e.g.,
according to ISO 9001:2000, ISO 14001:2004, and/or ISO/IEC 27001:2005) may be able to use their
existing management system as a foundation for the organizational resilience (OR) management
system as prescribed in this Standard.
vii
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
This Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure the
OR management system processes. The PDCA model is sometimes referred to as the APCI
(Assess-Protect-Confirm-Improve) Model. Figure 1 illustrates how an OR management system
takes as input the OR management requirements and expectations of the interested parties and
through the necessary actions and processes produces risk management outcomes that meet
those requirements and expectations. Figure 1 also illustrates the links in the processes
presented in clause 4.
Plan
Stakeholders Define & Analyze a Stakeholders
and Interested Problem and Identify and
Parties the Root Cause Interested
Parties
Do
Act
Devise a Solution
Standardize Solution
Develop Detailed Action
Review and Define
Next Issues Plan & Implement It
Systematically
Check
Organizational
Resilience Confirm Outcomes
Managed risk
Management Against Plan
Systems Identify Deviations
Requirements and and Issues
Expectations
viii
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
Do
Implement and operate the management system policy, controls, processes, and
(implement and
operate the procedures.
management system)
Check
Assess and measure process performance against management system policy,
(monitor and review the objectives, and practical experience and report the results to management for review.
management system)
Act
Take corrective and preventive actions, based on the results of the internal management
(maintain and improve system audit and management review, to achieve continual improvement of the
the management management system.
system)
Compliance with this Standard can be verified by an auditing process that is compatible and
consistent with the methodology of ISO 9001:2000, ISO 14001:2004, and/or ISO/IEC 27001:2005,
and the PDCA Model.
ix
AMERICAN NATIONAL STANDARD ASIS SPC.1-2009
1. SCOPE
This Standard specifies requirements for an organizational resilience (OR) management system to
enable an organization to develop and implement policies, objectives, and programs taking into
account legal requirements and other requirements to which the organization subscribes, information
about significant hazards and threats that may have an impact on it (and its stakeholders’), and
protection of critical assets (physical, intangible, environmental, and human). This Standard applies to
risks and/or their impacts that the organization identifies as those it can control, influence, or reduce. It
does not itself state specific performance criteria.
This Standard is applicable to any organization that wishes to:
a) Establish, implement, maintain, and improve an OR management system;
b) Assure itself of its conformity with its stated OR management policy;
c) Demonstrate conformity with this Standard by:
i. Making a self-determination and self-declaration; or
ii. Seeking confirmation of its conformance by parties having an interest in the
organization (such as customers); or
iii. Seeking confirmation of its self-declaration by a party external to the organization; or
iv. Seeking certification/registration of its OR management system by an external
organization.
All the requirements in this Standard are intended to be incorporated into any type of organization’s OR
management system. It provides all the elements required to integrate management, technology,
facilities, processes, and people into the resilience culture, risk management, and OR management
system of an organization. The extent of the application will depend on factors such as the risk
tolerance and policy of the organization; the nature of its activities, products, and services; and the
location where, and the conditions in which, it functions.
This Standard provides generic requirements as a framework, applicable to all types of organizations
(or parts thereof) regardless of size and nature of operation. It provides guidance for organizations to
develop their own specific performance criteria, enabling the organization to tailor and implement an
OR management system appropriate to its needs and those of its stakeholders.
1
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
The Standard emphasizes resilience, the adaptive capacity of an organization in a complex and
changing environment, as well as protection of critical assets. Applying this Standard positions an
organization to more readily prepare for and respond to all manner of intentional, unintentional,
and/or naturally-caused disruptive events – which, if unmanaged, could escalate into an emergency,
crisis, or disaster. It covers all phases of incident management before, during, and after a disruptive
event.
This Standard enables an organization to:
a) Develop a prevention, preparedness, and response/continuity/recovery policy;
b) Establish objectives, procedures, and processes to achieve the policy commitments;
c) Assure competency, awareness, and training;
d) Set metrics to measure performance and demonstrate success;
e) Take action as needed to improve performance;
f) Demonstrate conformity of the system to the requirements of this Standard; and
g) Establish and apply a process for continual improvement.
2. NORMATIVE REFERENCES
The following standards contain provisions which, through reference in this text, constitute provisions
of this American National Standard. At the time of publication, the editions indicated were valid. All
standards are subject to revision, and parties to agreements based on this American National Standard
are encouraged to investigate the possibility of applying the most recent editions of the standards
indicated below.
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
NOTE: All documents below are available from the International Organization for Standardization.
< http://www.iso.ch/iso/en/prods-services/ISOstore/store.html >
2
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
3
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
4
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
The organization shall define the scope consistent with protecting and preserving the integrity of the
organization and its relationships with stakeholders, including interactions with key suppliers,
outsourcing partners, and other stakeholders (for example, the organization’s supply chain partners
and suppliers, customers, stockholders, the community in which it operates, etc.).
A Statement of Applicability shall define the strategic weighting of security management, preparedness,
emergency management, disaster management, crisis management, and business continuity
management in developing the management system, based on the risk assessment and impact analysis
(see 4.3.1).
5
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
g) Deciding the criteria for accepting risks and the acceptable levels of risk;
h) Ensuring that internal OR management system audits are conducted;
i) Conducting management reviews of the OR management system; and
j) Demonstrates its commitment to continual improvement.
4.3 Planning
4.3.1 Risk Assessment and Impact Analysis
The organization shall establish, implement, and maintain a formal and documented evaluation
process:
a) To systematically conduct asset identification and valuation to identify the organization’s
critical activities, functions, services, products, partnerships, supply chains, stakeholder
relationships, and the potential impact related to a disruptive incident based on risk scenarios;
b) To identify intentional, unintentional, and naturally-caused hazards and threats that have a
potential for direct or indirect impact on the organization’s operations, functions, and human,
intangible, and physical assets; the environment; and its stakeholders;
c) To systematically analyze risk, vulnerability, criticality, and impacts (consequences);
d) To systematically analyze and prioritize risk controls and treatments and their related costs; and
e) To determine those risks that have a significant impact on activities, functions, services,
products, stakeholder relationships, and the environment (i.e., significant risks and impacts).
7
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
When establishing and reviewing its objectives and targets, an organization shall consider the legal,
regulatory, and other requirements; its significant risks and impacts; its technological options; its
financial, operational, and business requirements; and the views of stakeholders and other interested
parties.
The organization shall establish and maintain one or more strategic program(s) for achieving its
objectives and targets. The program(s) shall include:
a) Designation of responsibility and resources for achieving objectives and targets at relevant
functions and levels of the organization;
b) Consideration of its activities, functions, regulatory or legal requirements, contractual
obligations, stakeholders’ needs, mutual aid agreements, and environment; and
c) The means and time-frame by which they are to be achieved.
The organization shall establish and maintain one or more strategic program(s) for:
a) Prevention and deterrence - Avoid, eliminate, deter, or prevent the likelihood of a disruptive
incident and its consequences, including removal of human or physical assets at risk.
b) Mitigation - Minimize the impact of a disruptive incident.
c) Emergency response - The initial response to a disruptive incident involving the protection of
people and property from immediate harm. An initial reaction by management may form part
of the organization’s first response.
8
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
d) Continuity - Processes, controls, and resources are made available to ensure that the
organization continues to meet its critical operational objectives.
e) Recovery - Processes, resources, and capabilities of the organization are re-established to meet
ongoing operational requirements within the time period specified in the objectives.
The organization should evaluate its strategic program(s) to determine if these measures have
introduced new risks.
The organization shall develop financial and administrative procedures to support the OR
management program before, during, and after an incident. Procedures shall be:
a) Established to ensure that fiscal decisions can be expedited; and
b) In accordance with established authority levels and accounting principles.
9
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
The organization shall build, promote, and embed an OR management culture within the organization
that:
a) Ensures the OR management culture becomes part of the organization’s core values and
organization governance; and
b) Makes stakeholders aware of the OR management policy and their role in any plans.
10
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
The organization shall decide, based on life safety as the first priority and in consultation with
stakeholders, whether to communicate externally about its significant risks and impacts and document
its decision. If the decision is to communicate, the organization shall establish and implement (a)
method(s) for this external communication, alerts, and warnings (including with the media).
The OR management communications systems shall be regularly tested.
4.4.4 Documentation
The OR management system documentation shall include:
a) The OR management policy, objectives, and targets;
b) Description of the scope of the OR management system;
c) Description of the main elements of the OR management system and their integration with
related documents;
d) Documents, including records, required by this Standard; and
e) Documents, including records, determined by the organization to be necessary to ensure the
effective planning, operation, and control of processes that relate to its significant risks.
11
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
The operational control procedures shall address reliability and resiliency, the safety and health of
people, and the protection of property and the environment impacted by a disruptive incident.
It is the responsibility of the organization to develop (an) incident prevention, preparedness and
response procedure(s) that suits its particular needs. In developing its procedure(s), the organization
should address its needs with regard to:
a) The nature of onsite hazards (e.g., flammable and toxic materials, storage tanks and compressed
gases) and measures to be taken in the event of a disruptive incident or accidental releases;
b) The nature of local, nearby, or other external hazards with a potential impact on the
organization;
c) The most likely type and scale of a disruptive incident;
12
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
d) The most appropriate method(s) for mitigation and emergency response to a disruptive incident
to avoid escalation to a crisis or disaster;
e) Procedures to prevent environmental damage,
f) Command and control procedures for and structure of pre-defined chain of command, (an)
emergency operations center(s), and/or (an) alternate worksite(s);
g) Procedures and authority to declare an emergency situation, initiate emergency procedures,
activate plans and actions, assess damage, and make financial decisions;
h) Internal and external communication plans including notification of appropriate authorities and
stakeholders;
i) Procedures to acquire and/or provide appropriate medical care;
j) The action(s) required to minimize human casualties, and physical and environmental damage;
k) The action(s) required to secure vital information, information systems, facilities, and people;
l) Mitigation and response action(s) to be taken for different types of disruptive incident(s) or
emergency situation(s);
m) The need for (a) process(es) for post-event evaluation to establish and implement corrective and
preventive actions;
n) Periodic testing of incident and emergency management and response procedure(s) and
processes;
o) Training of incident and emergency response personnel;
p) A list of key personnel and aid agencies, including contact details (e.g., fire department,
emergency medical services, law enforcement, hazardous material clean-up services);
q) Evacuation routes and assembly points including lists of personnel and contact details;
r) The potential for (a) disruptive incident or emergency situation(s) to affect or be affected by
critical infrastructure (e.g., electricity, water, communications, transportation);
s) The possibility of mutual assistance to and from neighboring organizations; and
t) Procedure(s) and action(s) required to recover each critical activity within the organization’s
recovery time objective and the resources that it requires for recovery.
The organization shall periodically review and, where necessary, revise its incident prevention,
preparedness, and response procedures – in particular, after the occurrence of accidents or incidents
that can escalate into an emergency, crisis, or disaster.
The organization shall ensure that any person(s) performing incident prevention, preparedness, and
response measures on its behalf are competent on the basis of appropriate education, training, or
experience, and retain associated records.
The organization shall document this information and updated it at a regular interval or as changes
occur.
13
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
14
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
f) Are conducted at planned intervals, and from time to time on a non-periodic basis as
determined by the management of the organization, as well as when significant changes occur
within the organization and the environment it operates in.
Actions taken shall be appropriate to the impact of the potential problems, and conducted in an
expedited fashion.
The organization shall identify changed risks, and identify preventive action requirements focusing
attention on significantly changed risks.
The priority of preventive actions shall be determined based on the results of the risk assessment and
impact analysis.
The organization shall make any necessary changes to the OR management system documentation.
An audit program shall be planned, taking into consideration the status and importance of the
processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope,
frequency, and methods shall be defined. The selection of auditors and conduct of audits shall ensure
objectivity and impartiality of the audit process. Auditors shall not audit their own work.
The responsibilities and requirements for planning and conducting audits, and for reporting results
and maintaining records (see 4.5.4), shall be defined in a documented procedure.
The management responsible for the area being audited shall ensure that actions are taken without
undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include
the verification of the actions taken and the reporting of verification results.
16
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
4.6.4 Maintenance
Top management shall establish a defined and documented OR management system maintenance
program to ensure that any internal or external changes that impact the organization are reviewed in
relation to the OR management system. It shall identify any new critical activities that need to be
included in the OR management system maintenance program.
17
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
Annex A
(informative)
A.0 Introduction
Natural disasters, environmental accidents, technology mishaps, and man-made crises have historically
demonstrated that disruptive incidents can happen, impacting the public and private sectors alike. The
challenge goes beyond most emergency response plans or disaster management activities previously
deployed. Organizations now must engage in a comprehensive and systematic process of prevention,
preparedness, readiness, mitigation, response, continuity, and recovery. It is no longer enough to draft
a response plan that anticipates disasters or emergency scenarios. Today’s threats require the creation
of an on-going, dynamic, and interactive process that serves to assure the continuation of an
organization’s core activities before, during, and – most importantly – after a major crisis event.
This Standard provides organizations of all sizes and types with the elements needed to achieve and
demonstrate proactive risk reduction and organizational resilience performance related to their
physical facilities, services, activities, products, supply chains, and operational (business) continuity.
They do so within the context of:
a) Increasing security risks and threats;
b) More stringent legislation and regulation;
c) More competitive business realities;
d) Increasing interdependencies in society (on an organizational, functional, or jurisdictional
level);
e) Heightened awareness of the need for adequate emergency response and remediation planning;
f) Concerns of interested and affected parties; and
g) The need to assure operational continuity and resilience.
A disruptive incident not properly managed can rapidly escalate into an emergency, crisis, or even a
disaster. Preparing for an incident before it occurs can minimize its impact. An unmanaged disruptive
incident can taint an organization’s image, reputation, or brand in addition to resulting in significant
physical or environmental damage, injury, or loss of life. This Standard provides a framework to aid
organizations in successfully managing a disruptive incident by developing a strategy and action plan
to safeguard its interests and those of its stakeholders.
Proactive planning and preparation for potential incidents and disruptions will diminish both the
impact and length of the disruption. The holistic management process can help avoid and minimize
the suspension of critical services and operations, thereby allowing return to normal services and
operations as rapidly as possible.
18
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
This Standard provides guidance or recommendations for any organization in the private, not-for-
profit, and public sectors to identify and develop best practices to assist and foster action in:
a) Providing top management driven vision and leadership for strategies to protect assets and
assure the resilience of the organization;
b) Identifying and evaluating assets, services, and functions to determine the parts of the
operations and business that are critical to its short- and long-term success;
c) Identifying potential hazards and threats, and assessing risks and impacts;
d) Mitigating the impact of a wide variety of hazards and threats, including natural disasters,
technological and environmental accidents, and man-made disasters (terrorism and crime);
e) Understanding the roles and responsibilities needed to protect assets and further resilience;
f) Managing necessary incident/emergency preparedness and response resources;
g) Developing strategic alliances and mutual aid agreements;
h) Developing and maintaining incident/emergency preparedness and response plans, and
associated operational procedures;
i) Developing and conducting training and exercises to support and evaluate incident/emergency
preparedness, response plans, and operational procedures;
j) Developing and conducting training programs to implement preparedness, response plans, and
operations procedures;
k) Ensuring that relevant employees, customers, suppliers, and other stakeholders are aware of the
incident/emergency preparedness and response arrangements and (where appropriate) have
confidence in their application;
l) Developing internal and external communications procedures, including response to requests
for information from the media or the public;
m) Establishing metrics for measuring and demonstrating success;
n) Documenting the key resources, infrastructure, tasks, and responsibilities required to support
critical operational functions; and
o) Establishing processes that ensure the information remains current and relevant to the changing
risk and operational environments.
It is simply good business for an organization to protect its physical, virtual, and human assets. The
success of the management system depends on the commitment of all levels and functions in the
organization, especially the organization’s top management. Decision makers must be prepared to
budget for and secure the necessary resources to make this happen. It is necessary that an appropriate
administrative structure be put in place to effectively deal with prevention, mitigation, and
management. This will ensure that all concerned understand who makes decisions, how the decisions
are implemented, and what the roles and responsibilities of participants are. Personnel used for
incident management should be assigned to perform these roles as part of their normal duties and not
be expected to perform them on a voluntary basis. Regardless of the organization – for profit, not for
profit, faith-based, non-governmental – its leadership has a duty to stakeholders to plan for its survival.
19
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
An organization with no existing OR management system should establish its current position with
regard to its critical assets and potential risk scenarios by means of a review. The aim of this review
should be to consider all the organization’s hazards and threats and their associated risks and impacts
to critical assets as a basis for establishing the OR management system.
The review should cover four key areas:
a) Identification of risks, including those associated with normal operating conditions, abnormal
conditions including start-up and shut-down, and emergency situations and accidents.
b) Identification of applicable legal requirements and other requirements to which the
organization subscribes.
c) Examination of existing risk management practices and procedures, including those associated
with procurement and contracting activities.
d) Evaluation of previous emergency situations and accidents.
In all cases, consideration should be given to normal and abnormal operations and functions within the
organization, its relationships with relevant stakeholders, and to potential disruptive and emergency
conditions. Tools and methods for undertaking a review might include checklists, conducting
20
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
interviews, direct inspection and measurement, or results of previous audits or other reviews,
depending on the nature of the activities.
An organization has the freedom and flexibility to define its boundaries, and may choose to implement
this Standard with respect to the entire organization or to specific operating units of the organization.
The organization should define and document the scope of its OR management system.
Scoping is intended to clarify the boundaries of the organization to which the OR management system
will apply, especially if the organization is a part of a larger organization at a given location. Once the
scope is defined, all activities, products, and services of the organization within that scope need to be
included in the OR management system. In setting the scope, the credibility of the OR management
system will depend upon the choice of organizational boundaries. Where a part of an organization is
excluded from the scope of its OR management system, the organization should be able to explain the
exclusion.
If this Standard is implemented for a specific operating unit, policies and procedures developed by
other parts of the organization can be used to meet the requirements of this Standard, provided that
they are applicable to the specific operating unit that will be subject to it.
OR management involves issues and actions before, during, and after a disruptive incident. Therefore,
this Standard encompasses prevention, avoidance, deterrence, readiness, mitigation, response,
continuity, and recovery. The risk environment, as well as business/operational realities, focuses
different strategic weights on each of these components; however, no component should be weighted
zero. The Statement of Applicability should elucidate the strategic weighting of security management,
preparedness, emergency management, disaster management, crisis management, and business
continuity management in developing the management system, based on the risk assessment and
impact analysis (see 4.3.1).
The OR management policy forms the basis upon which the organization sets its objectives and targets.
The OR management policy should be sufficiently clear to be capable of being understood by internal
and external interested parties and should be periodically reviewed and revised to reflect changing
conditions and information. Its area of application (i.e., scope) should be clearly identifiable and should
reflect the unique nature, scale, and impacts of the risks of its activities, functions, products, and
services.
The OR management policy should be communicated to all persons who work for (or on behalf of) the
organization, including contractors working at an organization’s facility. Communication to
21
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
contractors can be in alternative forms to the policy statement itself, such as rules, directives, and
procedures, and may therefore only include pertinent sections of the policy. The organization’s OR
management policy should be defined and documented by its top management within the context of
the OR management policy of any broader corporate body of which it is a part and with the
endorsement of that body.
It is essential that top management of the organization sponsors, provides the necessary resources, and
takes responsibility for creating, maintaining, testing, and implementing a comprehensive OR
management system. This will insure that management and staff at all levels within the organization
understand that the OR management system is a critical top management priority. It is equally
essential that top management engage a “top down” approach to the OR management system, so that
management at all levels of the organization understand accountability for effective and efficient plan
maintenance as part of the overall governance priorities.
An OR Management Planning Team – including senior leaders from all major organizational functions
and support groups – should be appointed to ensure wide-spread acceptance of the OR management
system.
A.3 Planning
A.3.1 Risk Assessment and Impact Analysis
Clause 4.3.1 is intended to provide a process for an organization to identify hazards, threats, risks, and
impacts to determine those that are significant and which should be addressed as a priority by the
organization’s OR management system.
Critical activities, functions, obligations, and processes should be identified and documented.
Examples include purchasing, manufacturing, supply chain, sales, distribution, accounts receivable,
accounts payable, payroll, information technology, and research and development. Once the critical
processes and functions are identified, an analysis of each can be made using the evaluation criteria.
Organizations may select categories of activities, products, and services to identify their criticality,
risks, and impacts.
An organization should conduct a comprehensive risk assessment and impact analysis within the scope
of its OR management system, taking into account the inputs and outputs (both intended and
unintended) associated with:
a) Its current and relevant past activities, products, and services;
b) Planned or new developments, or new or modified activities, functions, products, and services;
c) Relations with stakeholders;
d) Interactions with the environment and community; and
e) Critical infrastructure.
This process should consider normal and abnormal operating conditions, shut-down and start-up
conditions, as well as reasonably foreseeable disruptive and emergency situations in order to set
recovery time objectives and respond to recovery time requirements.
22
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
There are many approaches and methodologies to risk assessment and impact analysis that will
determine the order of the analysis steps adopted. Regardless of the methodology, the organization
should have a formal and documented evaluation process threat and hazard identification; and risk,
vulnerability, criticality, consequence, and impact analysis.
The risk assessment and impact analysis should:
a) Give consideration to risks related to and criticality of the organization’s activities, functions,
products, and services and their potential for direct or indirect impact on the organization’s
operations, people, property, assets, compensation, image and reputation, profit, credit, and/or
environment.
b) Use a documented quantitative or qualitative methodology to estimate likelihood or probability
of the identified potential risks and significance of their impacts if they are realized.
c) Be based on reasonable criteria by giving due consideration to all potential risks it recognizes to
its operations.
d) Consider its dependencies on others and others dependencies on the organization, including
critical infrastructure and supply chain dependencies and obligations.
e) Consider data and telecommunications integrity and cyber security.
f) Evaluate the consequences of legal and other obligations which govern the organization’s
activities.
g) Consider risks associated with stakeholders, contractors, suppliers, and other affected parties.
h) Analyze information on risks, and select those risks which may cause significant consequences
and/or those risks whose consequence is hard to be determined in terms of significance.
i) Analyze and evaluate the level of resilience of each hazard or threat and each critical asset.
j) Evaluate risks and impacts it can control and influence. (However, in all circumstances it is the
organization that determines the degree of control and its strategies for risk acceptance,
avoidance, management, minimization, tolerance transfer, and/or treatment.)
In some locations, critical infrastructure, societal assets, and cultural heritage may be an important
element of the surroundings in which an organization operates, and therefore should be taken into
account in the understanding of its impacts on surroundings.
Since an organization might have many risks and impacts, it should establish and document criteria
and a methodology to determine those that it will consider significant. There is no single method for
determining significant risks and impacts. However, the method used should provide consistent results
and include the establishment and application of evaluation criteria, such as those related to criticality
of each organizational activity and function, legal issues, and the concerns of internal and external
stakeholders. An organization should analyze impacts of disruptions to its operations and identify
critical operations that are given high priority for restoration, in order to set up recovery time
objectives.
When assessing impacts the organizations should consider:
a) Human cost: Physical and psychological harm to employees, customers, suppliers, and other
stakeholders.
23
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
b) Financial cost: Equipment and property replacement, downtime, overtime pay, stock
devaluation, lost sales/business, lawsuits, regulatory fines/penalties, etc.
c) Corporate image cost: Reputation, standing in the community, negative press, loss of customers,
etc.
d) Economic losses to the community in which the organization operates: Indirect impacts on the regional
economy, reduction in the regional net economy, losses to the tax base of local jurisdictions, etc.
e) Environmental impacts: Degradation to the quality of the environment or to endangered species.
Maximum acceptable outage time and recovery time objectives should be based on:
a) How long processes can be nonfunctional before impacts become unacceptable.
b) How soon processes should be restored (shortest allowable outage restored first).
c) Different recovery time objectives according to time of year (year-end, tax filing, etc.).
d) Identifying and documenting alternate procedures for strategic alliance, mutual aid, manual
workaround, notification/alert, etc.
e) Evaluation of costs of alternate procedures versus waiting for system to be restored.
When developing information relating to its significant risks and impacts, the organization should
consider the need to retain the information for historical purposes, as well as how to use it in designing
and implementing its OR management system.
The process of identification and evaluation of risks and impacts should take into account the location
of activities, cost and time of undertaking the analysis, and the availability of reliable data. Information
already developed for business planning, regulatory, or other purposes may be used in this process.
This process of identifying and evaluating risks and impacts is not intended to change or increase an
organization’s legal obligations.
Examples of other requirements to which the organization may subscribe include, if applicable:
a) Agreements with public authorities;
b) Agreements with customers;
c) Non-regulatory guidelines (e.g., Incident Command System/Unified Command);
d) Voluntary principles or codes of practice;
e) Voluntary labeling or product stewardship commitments;
24
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
The determination of how legal and other requirements apply to an organization’s risk assessment is
usually accomplished in the process of identifying these requirements. Therefore, it may not be
necessary to have a separate or additional procedure in order to make this determination.
25
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
a) Emergency response: The initial response to a disruptive incident usually involves the protection
of people and property from immediate harm. An initial reaction by management may form
part of the organization’s first response.
b) Continuity: Processes, controls, and resources are made available to ensure that the organization
continues to meet its critical operational objectives.
c) Recovery: Processes, resources, and capabilities of the organization are re-established to meet
ongoing operational requirements. This will often include the introduction of significant
organizational improvements even to the extent of refocusing strategic or operational
objectives).
Roles, responsibilities, and authorities should also be defined, documented and communicated for
coordination with external stakeholders. This should include interactions with contractors, partners,
organizations within the supply chain, public authorities, and financial institutions.
Awareness and education programs should be established for internal and external stakeholders
potentially impacted by a disruptive incident.
Awareness, knowledge, understanding, and competence may be obtained or improved through
training, education, or work experience.
The organization should require that contractors working on its behalf are able to demonstrate that
their employees have the requisite competence and/or appropriate training.
Management should determine the level of experience, competence, and training necessary to ensure
the capability of personnel, especially those carrying out specialized OR management functions.
All personnel should be trained to perform their individual responsibilities in case of a disruptive
incident or crisis. They should also be briefed on the key components of the OR management system,
as well as the response plans that affect them directly. Such training could include procedures for
mitigation measures, evacuation, shelter-in-place, check-in processes to account for employees,
arrangements at alternate worksites, and the handling of media inquiries by the company.
The Crisis Management and Response Teams should be educated about their responsibilities and
duties including interactions with first responders and stakeholders. Checklists of critical actions and
information to be gathered are valuable tools in the education and response processes. Teams should
be trained regular intervals (at least annually), and new members should be trained when they join.
These teams should also be trained with respect to prevention of incidents that may escalate into crises.
It is recommended that any external resources that may be involved in a response – such as Fire, Police,
Public Health, and third-party vendors – should be familiar with relevant parts of the response plans.
27
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
28
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
A.4.4 Documentation
The level of detail of the documentation should be sufficient to describe the OR management system
and how its parts work together, and provide direction on where to obtain more detailed information
on the operation of specific parts of the OR management system. This documentation may be
integrated with documentation of other systems implemented by the organization. It does not have to
be in the form of a manual.
The extent of the OR management system documentation can differ from one organization to another
due to:
a) The size and type of organization and its activities, products or services;
b) The complexity of processes and their interactions; and
c) The competence of personnel.
Any decision to document (a) procedure(s) should be based on issues such as:
a) The consequences, including those to human and physical assets and the environment, of not
doing so.
b) The need to demonstrate compliance with legal and with other requirements to which the
organization subscribes.
c) The need to ensure that the activity is undertaken consistently.
d) The advantages of doing so, which can include:
i. Easier implementation through communication and training.
ii. Easier maintenance and revision.
iii. Less risk of ambiguity and deviations.
iv. Demonstrability and visibility.
e) The requirements of this Standard.
Documents originally created for purposes other than the OR management system may be used as part
of this system, and (if so used) will need to be referenced in the system.
29
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
30
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
b) Prevention can include proactive steps to coordinate with intelligence, law enforcement, and
public agencies; establish information sharing agreements; physical protection of key assets;
access controls; awareness and readiness training programs; warning and alarm systems; and
practices to reduce the threat.
c) Organizational culture, operational plans, and management objectives should motivate
individuals to feel personally responsible for prevention, avoidance, deterrence, and detection.
d) Deterrence and detection can make a disruptive act or activity more difficult to carry out against
the organization or significantly limit, if not negate, its impact. Consideration of prevention,
detection, and deterrence strategies may be:
i. Architectural: Natural or manmade barriers; redesigned or relocated infrastructure.
ii. Operational: Removal of hazardous materials; redesigned systems and operations;
security officers’ post orders; employee awareness programs; counter surveillance and
counter intelligence as avoidance; relocation of systems, operations, infrastructure, and
personnel.
iii. Technological: Alternative materials and processes, interoperable communication and
information networks, intrusion detection, access control, recorded surveillance,
package and baggage screening, and system controls.
e) Physical security planning includes protection of perimeter grounds, building perimeter,
internal space protection, and protection of contents. Defense begins at the external perimeter.
i. Physical security planning is a function of detection, delay, and response.
ii. Physical security measures should be designed so detection is as far from the target as
possible. Delays are planned closer to the target.
iii. Security system design should link exterior or interior detection with assessment and
response.
iv. Physical security measures may include crime prevention through environmental design;
physical barriers and site hardening; physical entry and access controls; security
lighting; intrusion detection systems and alarms; closed-circuit televisions; security
personnel; and security policies and procedures.
f) Cost-effective mitigation strategies should be employed to prevent or lessen the impact of
potential crises.
i. The mitigation strategy should consider immediate, interim, and long-term actions.
ii. The various resources that would contribute to the mitigation process should be
identified. These resources – including essential personnel and their roles and
responsibilities, facilities, technology, and equipment – should be documented in the
plan and become part of “business as usual.”
iii. Systems and resources should be monitored continually as part of mitigation strategies.
Such monitoring can be likened to simple inventory management.
iv. The resources that will support the organization to mitigate the crisis should also be
monitored continually to ensure that they will be available and able to perform as
planned during the crisis. Examples of such systems and resources include, but are not
limited to: emergency equipment, fire alarms and suppression systems, local resources
31
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
and vendors, alternate worksites, maps and floor plans, system backup, and offsite
storage.
g) The organization should establish procedures to recognize when specific dangers occur that
necessitate the need for some level of response. A strong program of detection and avoidance
policies and procedures will support this process.
i. Certain departments or functions are uniquely situated to observe warning signs of an
imminent crisis. Personnel assigned to these departments or functions should be trained
appropriately. The responsibility to report a potential crisis (including the notification
mechanism) should be communicated to all employees. The general employee
population may also be an excellent source of predictive information when there is a
documented reporting structure and where attention is paid to what the employee
reports.
h) A potential disruptive incident, once recognized, should be immediately reported to a
supervisor, a member of management, or another individual tasked with the responsibility of
crisis notification and management.
i. Specific notification criteria should be established, documented, and adhered to by all
employees (with the timing and sequence of notification calls clearly documented). The
actual activation of a response process should require very specific qualifications being
met.
ii. Qualified personnel should have ready access to the updated, confidential listings of
persons and organizations to be contacted when certain conditions or parameters of a
potential crisis are met.
iii. Notifications in a crisis situation should be timely and clear, and should use a variety of
procedures and technologies – with recognition that devices used have advantages and
limitations.
iv. In some types of crises, the notification systems are themselves impacted by the disaster,
either through capacity issues or infrastructure damage. Thus, it is important to have
redundancies built into the notification system, and several different ways to contact the
listed individuals and organizations.
i) Problem assessment (an evaluative process of decision making that will determine the nature of
the issue to be addressed) and severity assessment (the process of determining the severity of the
crisis and what any associated costs may be in the long run) should be made at the outset of a
crisis. Factors to be considered include the size of the problem, its potential for escalation, and
the possible impact of the situation.
j) The point at which a situation is declared to be an emergency or crisis should be clearly defined,
documented, and fit very specific and controlled parameters. Responsibility for declaring a
crisis should also be clearly defined and assigned. First and second alternates to the responsible
individual should be identified. The activities that declaring a emergency or crisis will trigger
include, but are not limited to:
i. Additional call notification;
ii. Evacuation, shelter, or relocation;
iii. Safety protocol;
32
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
33
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
ii. Where a dedicated center is not possible, a designated place where the teams may direct
and oversee crisis management activities should be guaranteed. Access control
measures should be implemented, with the members of all teams given 24x7 access.
iii. A secondary Crisis Management Center should also be identified in the event that the
primary center is impacted by the crisis event.
iv. The organization should consider the establishment of virtual command centers for
distributed access to information as well as to reach dispersed or remote stakeholders.
v. The organization should have alternate worksites identified for business resumption
and recovery. In the absence of other company facilities being available and/or suitable,
access to alternate worksites can be arranged through appropriate vendors. Planning
concerning the identification and availability of alternate worksites should take place
early in the preparedness and response plan process. Alternate worksites should
provide adequate access to the resources required for business resumption identified in
the impact analysis.
vi. Offsite storage is a valuable mitigation strategy allowing rapid crisis response and
business resumption/recovery. The off-site storage location should be a sufficient
distance from the primary facility so that it is not likely to be similarly affected by the
same event. Items to be considered for off-site storage include critical and vital records
(paper and other media) critical to the operations of the business. Procedures should be
included in the plan to ensure the timely delivery of any necessary items from offsite
storage to the Crisis Management Center or the alternate worksites.
n) Once the Crisis Management Team has been activated, the damage should be assessed. The
damage assessment may be performed by the Crisis Management Team itself or a designated
Damage Assessment Team. Responsibility should be assigned for the documentation of all
incident related facts and response actions, including financial expenditures.
i. For situations involving physical damage to company property, the Crisis Management
Team or its designated Damage Assessment Team should be mobilized to the site. The
team will gain entry if permission from the public safety authorities is granted, and
make a preliminary assessment of the extent of damage and the likely length of time that
the facility will be unusable.
ii. Certain types of crises do not involve immediate physical damage to a company
worksite or facility. These would include the business, human, information technology,
and societal types of crises. In these crises, the team will likely assess the damage or
impact as the crisis unfolds.
o) If appropriate, existing funding and insurance policies should be examined, and additional
funding and insurance coverage should be identified and obtained.
i. Policy parameters should be established in advance, including pre-approval by the
insurance provider of any response related vendors. Where possible, the amount of
funds to help ensure continuity of operations should be determined in the planning
process.
ii. Any cash should be stored in an easily accessible location to assure its availability
during a crisis, and some cash and credit should be available for weekend and after-
hours requirements.
34
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
iii. All crisis related expenses should be recorded throughout the response and recovery
periods.
iv. Insurance providers should be contacted as early as possible in the crisis period,
particularly in instances of a wide-reaching crisis, where competition for such resources
could be vigorous. All insurance policy and contact information should be readily
available to the Crisis Management Team and backed up or stored offsite as appropriate.
p) Transportation in a time of crisis can be a challenge. Provisions should be arranged ahead of
time, if possible. Areas where transportation is critical include, but are not limited to:
i. Evacuation of personnel (this may be from a demolished work-site or from a satellite
facility in another region or country);
ii. Transportation to an alternate worksite;
iii. Supplies into the site or to an alternate site;
iv. Transportation of critical data to worksite; and
v. Transportation for staff with special needs.
q) Critical vendor or service provider agreements should be established as appropriate and their
contact information maintained as part of the preparedness and response plan. Such
information could include phone numbers, contact names, account numbers, pass-codes
(appropriately protected), and other information in the event that someone unfamiliar with the
process would need to make contact.
i. In some instances, it may be appropriate to request and review the preparedness and
response plan, or a summary of such, of the critical vendors, in order to evaluate their
ability to continue to provide necessary supplies and services in the case of a far-
reaching crisis. At a minimum, the vendor or service provider roles and service level
agreements should be discussed in advance of the crisis.
r) Mutual aid agreements identify resources that may be shared with or borrowed from other
organizations during a crisis, as well as mutual support that may be shared with other
organizations. Such agreements should be legally sound and properly documented, clearly
understood by all parties involved, and representative of dependable resources as well as a
commitment to cooperation.
s) Strategic alliances identify delivery partners with which it has an interdependent relationship
with other organizations to produce and supply products and services and share risk.
t) Once the extent of damage is known, the process recovery needs should be prioritized and a
schedule for resumption determined and documented. The prioritization should take into
account the fundamental criticality of the process and other factors, including relationships to
other processes, critical schedules, and regulatory requirements, as identified in the impact
analysis. Decisions regarding prioritization of processes should be documented and recorded,
including the date, time, and justification for the decisions.
u) Once the processes to be restored have been prioritized, the resumption work can begin with
processes restored according to the prioritization schedule. The resumption of these processes
may occur at either the current worksite or an alternate worksite, depending on the
circumstances of the crisis. Documentation should be kept of when the processes were
resumed.
35
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
v) Once the critical processes have been resumed, the resumption of the remaining processes can
be addressed. Where possible, decisions about the prioritization of these processes should be
thoroughly documented in advance, as should the timing of actual resumption.
w) The organization should seek to bring the organization “back to normal.” If it is not possible to
return to the pre-crisis “normal,” a “new normal” should be established. This “new normal”
creates the expectation that, while there may be changes and restructuring in the workplace, the
organization will phase back into productive work. Each step of the process and all decisions
should be carefully documented.
i. As a rule, it is at this point that the crisis may be officially declared “over.” It is
important to document this decision. Press conferences and mass media
communications may be undertaken to bolster employee and client confidence.
A.5 Checking
A.5.1 Monitoring and Measurement
Data collected from monitoring and measurement can be analyzed to identify patterns and obtain
information. Knowledge gained from this information can be used to implement corrective and
preventive action. Metrics should be established to measure success of the OR management system.
Key characteristics are those that the organization needs to consider to determine how it is managing
its significant risks and impacts, achieving objectives and targets, and improving security,
preparedness, response, continuity, and recovery performance.
When necessary to ensure valid results, measuring equipment should be calibrated or verified at
specified intervals, or prior to use, against measurement standards traceable to international or national
measurement standards. Where no such standards exist, the basis used for calibration should be
recorded.
36
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
The first step in testing should be the setting of goals and expectations. A critical goal is to determine
whether a certain crisis response process works and how it can be improved. Other examples of goals
include:
a) Capacity testing (e.g., the capacity of a call-in or call-out phone system);
b) Reduce the time necessary for accomplishment of a process (e.g., using repeated drills to
shorten response times); and
c) Bring awareness and knowledge to the general employee population about the OR
management system.
Lessons learned from previous tests, as well as actual incidents experienced, should be built into the
testing cycle for the OR management system.
The responsibility for testing the OR management system should be assigned. Larger organizations
may consider establishing a Test Team. Where appropriate, the expertise of external resources
(consultants, local emergency organizations, etc.) can be leveraged.
A test schedule and timeline as to how often the plan and its components will be tested should be
established.
The scope of testing should be planned to develop over time. Tests should start out relatively simple,
becoming increasingly complex as the test process evolves. Early tests may include checklists, simple
exercises, and small components of the OR management system. As the test schedules evolve, tests
should become increasingly complex, up to a full-scale activation of the entire OR management system,
including external participation by public safety and emergency responders.
There are several roles that test participants can fill. All participants should understand their roles in
the exercise, and the exercise should involve all participants. Various groups from the organization
itself, as well as from the public sector, can participate in the tests. As part of the exercise, participants
should be allowed to interact and discuss issues and lessons.
After completion, the exercises and tests should be critically evaluated. The evaluation should include,
among other things, an assessment of how well the goals and objectives of the test were achieved, the
effectiveness of participation, and whether the OR management system itself will function as
anticipated in the case of a real crisis. Future testing, as well as the OR management system itself,
should then be modified as necessary based on the test results.
Design of tests should be evaluated and modified as necessary. They should be dynamic, taking into
account changes to the OR management system, personnel turnover, actual incidents, and results from
previous exercises.
Exercise and test results should be documented.
NOTE: Records are not the sole source of evidence to demonstrate conformity to this Standard.
NOTE: If an organization wishes to combine audits of its OR management system with security, safety, or
environmental audits, the intent and scope of each should be clearly defined.
38
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
Continual improvement and OR management system maintenance should reflect changes in the risks,
activities, functions, and operation of the organization that will affect the OR management system. The
following are examples of procedures, systems, or processes that may affect the plan:
a) Policy changes;
b) Hazards and threat changes;
c) Changes to the organization and its business processes;
d) Changes in assumptions in risk assessment and impact analysis;
e) Personnel changes (employees and contractors);
f) Supplier and supply chain changes;
g) Process and technology changes;
h) Systems and application software changes;
i) Critical lessons learned from testing;
j) Issues discovered during actual implementation of the plan in a crisis;
39
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
k) Changes to external environment (new businesses in area, new roads or changes to existing
traffic patterns, etc.); and
l) Other items noted during review of the plan and identified during the risk assessment and
impact analysis.
40
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
Annex B
(informative)
Reduction, removal, and management of an organization’s hazardous materials will provide proactive
benefits from both the environmental and security perspectives by providing protection from and
response to risks of unintentionally, intentionally, and naturally-caused events.
41
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
3 Terms and definitions 3 Terms and definitions 3 Terms and definitions 3 Terms and definitions
42
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
Organizational Resilience
ISO 9001:2000 ISO 14001:2004 ISO 27001:2005
Management System Standard
4.4 Implementation and operation 6 Resource management 4.4 Implementation and 5.2 Resource management
4.4.1 Resources, roles, 6.1 Provision of resources operation 5.2.1 Provision of resources
responsibility and authority 6.2 Human resources 4.4.1 Resources, roles, 5.2.2 Training, awareness and
4.4.2 Competence, training and 6.2.2 Competence, responsibility and authority competence
awareness awareness and training 4.4.2 Competence, 4.3 Documentation
4.4.3 Communication and warning 6.3 Infrastructure training, and awareness requirements
4.4.4 Documentation 6.4 Work environment 4.4.3 Communication and 4.3.1 General
4.4.5 Control of documents 7.2.3 Customer warning 4.3.2 Control of documents
4.4.6 Operational control communication 4.4.4 Documentation
4.4.7 Incident preparedness and 4.2 Documentation 4.4.5 Control of documents
response requirements 4.4.6 Operational control
4.2.1 General 4.4.7 Emergency
4.2.2 Quality manual preparedness and
4.2.3 Control of documents response
7.3 Design and
development
7.4 Purchasing
7.5 Product and service
provision
4.5 Checking 7.6 Control of monitoring 4.5 Checking 4.2.3 Monitor and review the
4.5.1 Monitoring and measuring and measuring devices 4.5.1 Monitoring and ISMS
4.5.2 Evaluation of compliance and 8.2.3 Monitoring and measurement 8.2 Corrective action
system performance measurement of processes 4.5.2 Evaluation of 8.3 Preventive action
4.5.2.1 Evaluation of compliance 8.2.4 Monitoring and compliance 4.3.3 Control of records
4.5.2.2 Exercises and testing measurement of product 4.5.3 Nonconformity, 6 Internal ISMS audits
4.5.3 Nonconformity, corrective 8.3 Control of corrective action and
action and preventive action nonconforming product preventive action
4.5.4 Control of records 8.5.3 Corrective actions 4.5.4 Control of records
4.5.5 Internal audits 8.5.3 Preventive actions 4.5.5 Internal audits
4.2.4 Control of records
8.2.2 Internal Audit
8.4 Analysis of data
4.6 Management review 5.6 Management review 4.6 Management review 7 Management review of the
4.6.2 General 5.6.1 General ISMS
4.6.2 Review of Input 5.6.2 Review input 7.1 General
4.6.3 Review of output 5.6.3 Review output 7.2 Review input
4.6.4 Maintenance 8.5 Improvement 7.3 Review output
4.6.5 Continual improvement 8.5.1 Continual 4.2.4 Maintain and improve
improvement
8 ISMS improvement
8.1 Continual improvement he
ISMS
Annex A Control objectives and Annex A Annex A Guidance on the Annex A Control objectives
controls Correspondence between use of this International and controls
Annex B Correspondence ISO 9001:2000 and ISO Standard Annex B OECD principles and
between ISO 9001:2000, ISO 14001:1996 Annex B this International Standard
14001:2004, ISO 27001:2005 and Correspondence between Annex C Correspondence
this Standard of Best Practices ISO 14001:2004 and ISO between ISO 9001:2000, ISO
9001:2000 14001:2004 and this
International Standard
43
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
Annex C
(informative)
C TERMINOLOGY CONVENTIONS
The terminology conventions in Table 2 are in accordance with ISO/IEC – Directives Part 2: Rules for the
structure and drafting on International Standards, Annex H, Verbal forms for the expression of provisions, 2004.
Verbal form Usage (ISO/IEC – Directives Part 2: Rules for the structure and
drafting on International Standards)
shall Auditable requirements of a document – “used to indicate
requirements strictly to be followed in order to conform to the
document and from which no deviation is permitted.”
should Recommendations – “used to indicate that among several possibilities
one is recommended as particularly suitable, without mentioning or
excluding others, or that a certain course of action is preferred but not
necessarily required, or that (in the negative form) a certain possibility
or course of action is deprecated but not prohibited.”
may Permission – “used to indicate a course of action permissible within
the limits of the document.”
can Possibility and capability – “used for statements of possibility and
capability, whether material, physical or causal.”
Items presented in lists shall not be construed to be exhaustive, unless otherwise stated. Nor shall the
order of the list be viewed as specifying a sequence or priority, unless so stated. The generic nature of
this Standard allows for organization to include additional items as well as designation of a sequence or
priority based on the specific operating conditions and circumstances of the organization.
44
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
Annex D
(normative)
D GLOSSARY
For the purposes of this document, the terms and definitions given in ISO/IEC Guide 73 and the
following definitions apply.
D.1 acceptable downtime: Maximum elapsed time between a disruption and restoration of needed
operational capacity or capability.
D.2 alternate worksite: A work location, other than the primary location, to be used when the
primary location is not accessible. [ASIS International Business Continuity Guideline: 2005]
D.3 asset: Anything that has value to the organization. [ISO/IEC 13335-1:2004]
D.4 auditor: Person with competence to conduct an audit. [ISO 9001:2000]
D.5 continual improvement: Recurring process of enhancing the organizational resilience (OR)
management system in order to achieve improvements in overall OR management performance
consistent with the organization’s OR management policy.
NOTE: The process need not take place in all areas of activity simultaneously.
D.6 corrective action: Action to eliminate the cause of a detected nonconformity. [ISO 14001:2004]
D.7 critical activity: Any function or process that is essential for the organization to deliver its
products and/or services. [ISO/PAS 22399:2007]
D.8 criticality assessment: A process designed to systematically identify and evaluate an
organization’s assets based on the importance of its mission or function, the group of people at risk, or
the significance of a disruption on the continuity of the organization.
D.9 conformity: Fulfillment of a requirement.
D.10 consequence: Outcome of an event. [ISO/IEC Guide 73]
NOTE 1: There can be more than one consequence from one event.
NOTE 2: Consequences can range from positive to negative.
NOTE 3: Consequences can be expressed qualitatively or quantitatively.
D.11 continuity: Strategic and tactical capability, pre-approved by management, of an organization to
plan for and respond to conditions, situations, and events in order to continue operations at an
acceptable predefined level.
NOTE: Continuity, as used in this Standard, is the more general term for operational and business continuity to
ensure an organization’s ability to continue operating outside of normal operating conditions. It applies not only to for-
profit companies, but organizations of all natures, such as non-governmental, public interest, and governmental
organizations.
D.12 continuity strategy: Approach by an organization intended to ensure continuity and ability to
recover in the face of a disruptive event, emergency, crisis, or other major outage.
D.13 crisis: An unstable condition involving an impending abrupt or significant change that requires
urgent attention and action to protect life, assets, property, or the environment.
D.14 crisis management: Holistic management process that identifies potential impacts that threaten
an organization and provides a framework for building resilience, with the capability for an effective
45
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating
activities – as well as effectively restoring operational capabilities.
NOTE: Crisis management also involves the management of preparedness, mitigation response, and continuity or
recovery in the event of an incident – as well as management of the overall program through training, rehearsals, and
reviews to ensure the preparedness, response, and continuity plans stays current and up-to-date.
D.15 crisis management team: Group of individuals functionally responsible for directing the
development and execution of the response and operational continuity plan, declaring an operational
disruption or emergency/crisis situation, and providing direction during the recovery process, both
pre-and post-disruptive incident.
NOTE: The crisis management team may include individuals from the organization as well as immediate and first
responders, stakeholders, and other interested parties.
D.16 criticality: Of essential importance with respect to objectives and/or outcomes.
D.17 damaging potential: Harmful potential of an event, whether anticipated or unanticipated, that
would impact on the ability of the organization to function effectively, cause critical harm to
infrastructure, result in significant human or property losses to the organization or its stakeholders, or
cause adverse effects to the reputation or integrity of the organization.
D.18 disaster: Event that causes great damage or loss. [ISO/PAS 22399:2007]
D.19 disruption: An event that interrupts normal business, functions, operations, or processes,
whether anticipated (e.g., hurricane, political unrest) or unanticipated (e.g., a blackout, terror attack,
technology failure, or earthquake).
NOTE: A disruption can be caused by either positive or negative factors that will disrupt normal functions, operations,
or processes.
D.20 document: Information and supporting medium. [ISO 9000:2000]
NOTE: The medium can be paper, magnetic, electronic or optical computer disc, photography or master sample, or a
combination thereof.
D.21 emergency: Sudden, urgent, usually unexpected occurrence or event requiring immediate action.
[ISO/PAS 22399:2007]
NOTE: An emergency is usually a disruptive event or condition that can often be anticipated or prepared for, but
seldom exactly foreseen.
D.22 exercises: Evaluating OR management programs, rehearsing the roles of team members and
staff, and testing the recovery or continuity of an organization’s systems (e.g., technology, telephony,
administration) to demonstrate OR management competence and capability.
NOTE 1: Exercises include activities performed for the purpose of training and conditioning team members and
personnel in appropriate responses with the goal of achieving maximum performance.
NOTE 2: An exercise can involve invoking response and operational continuity procedures, but is more likely to
involve the simulation of an response and/or operational continuity incident, announced or unannounced, in which
participants role-play in order to assess what issues might arise, prior to a real invocation.
D.23 evacuation: Organized, phased, and supervised dispersal of people from dangerous or
potentially dangerous areas. [ASIS International Business Continuity Guideline: 2005]
D.24 event: Occurrence or change of a particular set of circumstances. [ISO/IEC Guide 73]
NOTE 1: Nature, likelihood, and consequence of an event can not be fully knowable.
NOTE 2: An event can be one or more occurrences, and can have several causes.
NOTE 3: Likelihood associated with the event can be determined.
NOTE 4: An event can consist of a non occurrence of one or more circumstances.
NOTE 5: An event with a consequence is sometimes referred to as “incident”.
D.25 facility (infrastructure): Plant, machinery, equipment, property, buildings, vehicles, information
systems, transportation facilities, and other items of infrastructure or plant and related systems that
have a distinct and quantifiable function or service.
46
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
D.26 hazard: Possible source of danger, or conditions (physical or operational) that have a capacity to
produce a particular type of adverse effects. [ISO/PAS 22399:2007]
D.27 impact: Evaluated consequence of a particular outcome. [ISO/PAS 22399:2007]
D.28 impact analysis: Process of analyzing all operational functions and the effect that an operational
interruption might have upon them.
NOTE: Impact analysis includes Business Impact Analysis – the identification of critical business assets, functions,
processes, and resources as well as an evaluation of the potential damage or loss that may be caused to the
organization resulting from a disruption (or a change in the business or operating environment). Impact analysis
identifies: 1) how the loss or damage will manifest itself; 2) how that degree for potential escalation of damage or loss
with time following an Incident; 3) the minimum services and resources (human, physical, and financial) needed to
enable business processes to continue to operate at a minimum acceptable level; and 4) the timeframe and extent
within which activities, functions, and services of the organization should be recovered.
D.29 incident: Event that has the capacity to lead to human, intangible or physical loss, or a
disruption of an organization’s operations, services, or functions – which, if not managed, can escalate
into an emergency, crisis, or disaster.
D.30 integrity: The property of safeguarding the accuracy and completeness of assets. [ISO/IEC 13335-
1:2004]
D.31 internal audit: Systematic, independent, and documented process for obtaining audit evidence
and evaluating it objectively to determine the extent to which the management system audit criteria set
by the organization are fulfilled.
NOTE: In many cases, particularly in smaller organizations, independence can be demonstrated by the freedom from
responsibility for the activity being audited.
D.32 management plan: Clearly defined and documented plan of action, typically covering the key
personnel, resources, services, and actions needed to implement the incident management process.
D.33 mitigation: Limitation of any negative consequence of a particular incident. [ISO/PAS
22399:2007]
D.34 mutual aid agreement: Pre-arranged agreement developed between two or more entities to
render assistance to the parties of the agreement. [ISO/PAS 22399:2007]
D.35 nonconformity: Non-fulfillment of a requirement. [ISO 9000:2000]
D.36 objective: Overall goal, consistent with the policy that an organization sets itself to achieve. [ISO
14001:2004]
D.37 organization: Group of people and facilities with an arrangement of responsibilities, authorities,
and relationships. [ISO/PAS 22399:2007]
NOTE: An organization can be a government or public entity, company, corporation, firm, enterprise, institution,
charity, sole trade or association, or parts or combinations thereof.
D.38 organizational resilience (OR) management: Systematic and coordinated activities and practices
through which an organization manages its operational risks, and the associated potential threats and
impacts therein.
D.39 organizational resilience (OR) management program: Ongoing management and governance
process supported by top management; resourced to ensure that the necessary steps are taken to
identify the impact of potential losses; maintain viable recovery strategies and plans; and ensure
continuity of functions/products/services through exercising, rehearsal, testing, training, maintenance,
and assurance.
D.40 policy: Overall intentions and direction of an organization, as formally expressed by top
management.
47
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
D.41 preparedness (readiness): Activities, programs, and systems developed and implemented prior
to an incident that may be used to support and enhance mitigation of, response to, and recovery from
disruptions, disasters, or emergencies.
D.42 prevention: Measures that enable an organization to avoid, preclude, or limit the impact of a
disruption. [ISO/PAS 22399:2007]
D.43 preventive action: Action to eliminate the cause of a potential nonconformity. [ISO 14001:2004]
D.44 prevention of hazards and threats: Process, practices, techniques, materials, products, services,
or resources used to avoid, reduce, or control hazards and threats and their associated risks of any type
in order to reduce their potential impact.
D.45 probability: Extent to which an event is likely to occur. [ISO/IEC Guide 73]
NOTE 1: ISO 3534-1:1993, Definition 1.1, gives the mathematical definition of probability as “a real number in the
scale of 0 to 1 attached to a random event. It can be related to a long-run relative frequency of occurrence or to a
degree of belief that an event will occur. For a high degree of belief, the probability is near 1.”
NOTE 2: Frequency rather than probability may be used to describe risk.
NOTE 3: Degrees of belief about probability can be chosen as classes or ranks, such as:
- rare/unlikely/moderate/likely/almost certain; or
- incredible/improbable/remote/occasional/probable/frequent.
D.46 procedure: Specified way to carry out an activity. [ISO 9000:2000]
NOTE: Procedures can be documented or not.
D.47 record: Document stating results achieved or providing evidence of activities performed. [ISO
9000:2000]
D.48 recovery time objective (RTO): Time goal for the restoration and recovery of functions or
resources based on the acceptable down time and acceptable level of performance in case of a
disruption of operations.
D.49 residual risk : Risk remaining after risk treatment. [ISO/PAS 22399:2007]
D.50 resilience: The adaptive capacity of an organization in a complex and changing environment.
NOTE 1: Resilience is the ability of an organization to resist being affected by an event or the ability to return to an
acceptable level of performance in an acceptable period of time after being affected by an event.
NOTE 2: Resilience is the capability of a system to maintain its functions and structure in the face of internal and
external change and to degrade gracefully when it must.
D.51 resources: Any asset (human, physical, information or intangible), facilities, equipment,
materials, products or waste that has potential value and can be used.
D.52 response plan: Documented collection of procedures and information that is developed,
compiled, and maintained in readiness for use in an incident.
D.53 response program: Plan, processes, and resources to perform the activities and services
necessary to preserve and protect life, property, operations, and critical assets. [ISO/PAS 22399:2007]
NOTE: Response steps generally include incident recognition, notification, assessment, declaration, plan execution,
communications, and resources management
D.54 response team: Group of individuals responsible for developing, executing, rehearsing, and
maintaining the response plan, including the processes and procedures.
D.55 risk: Effect of uncertainty on objectives. [ISO/IEC Guide 73]
NOTE 1: An effect is a deviation from the expected – positive and/or negative.
NOTE 2: Objectives can have different aspects such as financial, health and safety, and environmental goals and can
apply at different levels such as strategic, organization-wide, project, product, and process.
NOTE 3: Risk is often characterized by reference to potential events, consequences, or a combination of these and
how they can affect the achievement of objectives.
48
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event or a change in
circumstances, and the associated likelihood of occurrence.
D.56 risk acceptance: Informed decision to take a particular risk. [ISO/IEC Guide 73]
NOTE 1: Risk acceptance can occur without risk treatment or during the process of risk treatment.
NOTE 2: Risk acceptance can also be a process.
NOTE 3: Risks accepted are subject to monitoring and review.
D.57 risk analysis: Process to comprehend the nature of risk and to determine the level of risk.
[ISO/IEC Guide 73]
NOTE: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
D.58 risk assessment: Overall process of risk identification, risk analysis, and risk evaluation.
NOTE: Risk assessment involves the process of identifying internal and external threats and vulnerabilities,
identifying the probability and impact of an event arising from such threats or vulnerabilities, defining critical functions
necessary to continue the organization’s operations, defining the controls in place necessary to reduce exposure, and
evaluating the cost of such controls.
D.59 risk communication: Exchange or sharing of information about risk between the decision-maker
and other stakeholders. [ISO/IEC Guide 73]
NOTE: The information can relate to the existence, nature, form, probability, severity, acceptability, treatment, or
other aspects of risk.
D.60 risk criteria: Terms of reference by which the significance of risk is assessed. [ISO/IEC Guide 73]
NOTE: Risk criteria can include associated cost and benefits, legal and statutory requirements, socio-economic and
environmental aspects, the concerns of stakeholders, priorities, and other inputs to the assessment.
D.61 risk management: Coordinated activities to direct and control an organization with regard to
risk. [ISO/IEC Guide 73]
NOTE: Risk management generally includes risk assessment, risk treatment, risk acceptance, and risk
communication.
D.62 risk reduction: Actions taken to lessen the probability, negative consequences, or both,
associated with a risk. [ISO/IEC Guide 73]
D.63 risk tolerance: Organization’s readiness to bear the risk after risk treatments in order to achieve
its objectives. [ISO/IEC Guide 73]
NOTE Risk tolerance can be limited by legal or regulatory requirements.
D.64 risk transfer: Sharing with another party the burden of loss or benefit or gain, for a risk.
[ISO/IEC Guide 73]
NOTE 1: Legal or statutory requirements can limit, prohibit ,or mandate the transfer of certain risk.
NOTE 2: Risk transfer can be carried out through insurance or other agreements.
NOTE 3: Risk transfer can create new risks or modify existing risks.
NOTE 4: Relocation of the source is not risk transfer.
D.65 risk treatment: Process of selection and implementation of measures to modify risk. [ISO/IEC
Guide 73]
NOTE 1: The term “risk treatment” is sometimes used for the measures themselves.
NOTE 2: Risk treatment measures can include avoiding, optimizing, transferring, or retaining risk.
D.66 security: The condition of being protected against hazards, threats, risks, or loss.
NOTE 1: In the general sense, security is a concept similar to safety. The distinction between the two is an added
emphasis on being protected from dangers that originate from outside.
NOTE 2: The term "security" means that something not only is secure but that it has been secured.
D.67 security aspects: Those characteristics, elements, or properties which reduce the risk of
unintentionally, intentionally, and naturally-caused crises and disasters that disrupt and have
consequences on the products and services, operation, critical assets, and continuity of the organization
and its stakeholders.
49
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
D.68 simulation exercise: Test performed under conditions as close as practicable to real world
conditions. [ISO/PAS 22399:2007]
D.69 source: Anything which alone or in combination has the intrinsic potential to give rise to risk.
[ISO/IEC Guide 73]
NOTE: A risk source can be tangible or intangible.
D.70 stakeholder (interested party): Person or group having an interest in the performance or success
of an organization. [ISO/PAS 22399:2007]
NOTE: The term includes persons and groups with an interest in an organization, its activities and its achievements –
e.g., customers, clients, partners, employees, shareholders, owners, vendors, the local community, first responders,
government agencies, and regulators.
D.71 supply chain: The linked set of resources and processes that begins with the acquisition of raw
material and extends through the delivery of products or services to the end user across the modes of
transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics
providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end
user.
D.72 target: Detailed performance requirement applicable to the organization (or parts thereof) that
arises from the objectives and that needs to be set and met in order to achieve those objectives. [ISO
14001:2004]
D.73 testing: Activities performed to evaluate the effectiveness or capabilities of a plan relative to
specified objectives or measurement criteria. Testing usually involves exercises designed to keep teams
and employees effective in their duties, and to reveal weaknesses in the preparedness and
response/continuity/recovery plans. [ASIS International Business Continuity Guideline: 2005]
D.74 threat: Potential cause of an unwanted incident, which may result in harm to individuals, assets,
a system or organization, the environment, or the community.
D.75 top management: Directors, managers, and officers of an organization that can ensure effective
management systems – including financial monitoring and control systems – have been put in place to
protect assets, earning capacity, and the reputation of the organization.
D.76 vulnerability: Intrinsic properties of something that create susceptibility to a source of risk
(D.53) that can lead to a consequence. [ISO/IEC Guide 73]
D.77 vulnerability assessment: The process of identifying and quantifying vulnerabilities.
50
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
Annex E
(informative)
E QUALIFICATIONS
The adoption and implementation of a range of security, preparedness, and continuity management
techniques in a systematic manner can contribute to optimal outcomes for all stakeholders and affected
parties. However, adoption of this Standard will not by itself guarantee optimal security, preparedness,
continuity, and response outcomes. In order to achieve its objectives, the OR management system
should incorporate the best available practices, techniques, and technologies, where appropriate and
where economically viable. The cost-effectiveness of such practices, techniques, and technologies
should be taken fully into account.
This Standard does not establish absolute requirements for security, preparedness, response, continuity,
or recovery performance beyond commitments in the organization’s policy to:
a) Comply with applicable legal requirements and with other requirements to which the
organization subscribes;
b) Support critical risk prevention and minimization; and
c) Promote continual improvement.
The main body of this Standard contains only those generic criteria that may be objectively audited.
Guidance on supporting OR management techniques is contained in the other annexes of this
document.
This Standard, like other management standards, is not intended to be used to create non-tariff trade
barriers or to increase or change an organization’s legal obligations. Indeed, compliance with a
standard does not in itself confer immunity from legal obligations. For organizations that so wish, an
external or internal auditing process may verify compliance of their OR management system to this
Standard. Verification may be by an acceptable first-, second-, or third-party mechanism. Verification
does not require third-party certification.
This Standard does not include requirements specific to other management systems such as those for
quality, occupational health and safety, or financial risk management – though its elements can be
aligned or integrated with those of other management systems. It is possible for an organization to
adapt its existing management system(s) in order to establish an OR management system that
conforms to the criteria of this Standard. It should be understood, however, that the application of
various elements of the management system might differ depending on the intended purpose and the
stakeholders involved.
The level of detail and complexity of the OR management system, the extent of documentation, and the
resources devoted to it will be dependent on a number of factors – such as the scope of the system; the
size of an organization; and the nature of its activities, products, and services. This may be the case in
particular for small and medium-sized enterprises.
51
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
This Standard provides a common set of criteria for security management, preparedness, emergency
management, disaster management, crisis management, and business continuity management
programs. Terminology used in this standard emphasizes commonality of concepts, while
acknowledging nuances in term usage in the various disciplines. For example, risk assessment
includes analysis of risk, vulnerability, criticality, and impacts (consequences); however, some
disciplines emphasize impact analysis. Therefore, in this document, the overall process is referred to as
“risk assessment and impact analysis”.
52
ASIS SPC.1-2009, ORGANIZATIONAL RESILIENCE STANDARD
Annex F
(informative)
F BIBLIOGRAPHY
F.1 ASIS Publications
NOTE: The document below is available from ASIS. < http://www.asisonline.org/guidelines/ >
Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management, and
Disaster Recovery, 2005.
53
ASIS International (ASIS) is the preeminent
organization for security professionals, with more
than 37,000 members worldwide. Founded in 1955,
ASIS is dedicated to increasing the effectiveness and
productivity of security professionals by developing
educational programs and materials that address
broad security interests, such as the ASIS Annual
Seminar and Exhibits, as well as specific security
topics. ASIS also advocates the role and value of the
security management profession to business, the
media, governmental entities, and the general public.
By providing members and the security community
with access to a full range of programs and services,
and by publishing the industry’s number one
magazine, Security Management, ASIS leads the way
for advanced and improved security performance.
For more information, visit www.asisonline.org.
1625 Prince Street
Alexandria, Virginia 22314-2818
USA
+1.703.519.6200
Fax: +1.703.519.6299
www.asisonline.org
ISBN: 978-1-887056-92-2